feat: Implement signal delivery for x64 sandbox #15
| .opts = opts, | ||
| }; | ||
|
|
||
| lfi_linux_register_sighandler(engine); |
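Review bot: the result of lfi_linux_register_sighandler(engine) is discarded at this call site; if the function wraps sigaction(2) for SIGSEGV/SIGILL/SIGBUS as the description says, a failed installation would silently leave sandbox faults unforwarded, so have it return the sigaction status and fail engine init on error. If the prior handler is saved for chaining, save it and install the new one under the same condition so the chain never points at a stale handler.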
Let's keep this disabled in SYS_MINIMAL mode. The static functions will also need to be gated to avoid being unused function warnings.
| __builtin_unreachable(); | ||
| } | ||
|
|
||
| if (!arch_forward_signal(lfi_cur_ctx(), sig, si, ucontext)) { |
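Review bot: forwarding on the basis of lfi_cur_ctx() alone is not enough; the handler should also confirm that the faulting PC in ucontext lies inside the sandbox's code region, otherwise a fault raised by runtime code on the sandbox thread while ctx is set (inside a syscall handler, for instance) would be delivered to the sandbox handler with host register state in the frame. When arch_forward_signal returns false, make sure the path reaches the chained prior handler or resets SIG_DFL and re-raises, so an unhandled fault terminates the process instead of returning from the host handler and re-executing the faulting instruction.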
lfi_cur_ctx() will dereference lfi_invoke_info.ctx, which may be null on a thread that is not in a sandbox (signal could arrive at any time). Either that function should be modified, or this call site should additionally check that lfi_invoke_info.ctx is valid before calling that.
I've updated the function. I feel like engine should be accessible even without ctx (or LinuxProc or LinuxThread) when engine gets initialized first before setting lfi_invoke_info.ctx. Is there any reason why lib_engine exists only for libraries?
| sp -= kRedzoneSize; // skip redzone | ||
| sp = ROUNDDOWN(sp, 16); | ||
| sp -= sizeof(sf); | ||
| assert((sp & 15) == 8); |
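Review bot: `assert((sp & 15) == 8)` checks a property of sizeof(sf), not of the input, and it vanishes under NDEBUG; replace it with `static_assert(sizeof(sf) % 16 == 8, ...)` next to the frame type so the ABI entry alignment is guaranteed at compile time. The bounds check should also reject sp before the subtractions, not only after: a sandbox RSP within kRedzoneSize + sizeof(sf) of the region's base lands below the sandbox, and the frame is then written to that address with runtime privileges.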
We should probably validate sp here to make sure it is still within the sandbox.
| struct LFILinuxEngine *engine; | ||
|
|
||
| // Per-signal handler table. | ||
| struct SigActionEntry signals[LINUX_NSIG]; |
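Review bot: signals[LINUX_NSIG] is indexed with a sandbox-supplied signal number from rt_sigaction, so every access must check the number against the table size before use (Linux signal numbers start at 1, so either index 0 stays unused or sig-1 is used consistently) and should reject SIGKILL and SIGSTOP as the kernel does. Whatever protection is added, the reader in the host signal handler cannot take an ordinary mutex: it needs an async-signal-safe scheme, for example atomic per-entry loads with only the rt_sigaction writer holding a lock.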
I think we need a lock to protect this.
5829167 to a98f6a4
Add support for forwarding SIGSEGV/SIGILL to sandbox-registered signal handlers on Linux x86_64.

* Define x86-64 signal frame types (SigFrame, SigInfo, UContext, FPState, SigAction) in arch_types.h
* Register host-level sigaction for SIGSEGV, SIGILL, SIGBUS on Linux engine init, chaining to prior handlers when not handled
* Implement rt_sigaction and rt_sigreturn syscalls; replace prior stubs
* Add per-process signal handler table (signals[LINUX_NSIG]) to LFILinuxProc
* Implement arch_forward_signal: builds a (partial) signal frame on the sandbox stack, runs the sandbox handler via lfi_ctx_run, reads back the modified frame on return, and validates/restores RIP
* Fix lfi_ctx_run to save/restore invoke_info.ctx around lfi_ctx_entry to support nested sandbox entry

With this feature, lfi-runtime can now support programs that install custom SIGSEGV/SIGILL handlers (e.g., a JS runtime) on Linux x86_64. Restoring FP regs is not supported.

This PR requires musl with c28e53.
Let me know if you think it is better to force align the unaligned restorer instead of emitting an error.
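Added example, not code from this PR or from lfi-runtime: the frame placement the description and the reviewed hunk sketch (skip the red zone, align to 16, reserve the frame), with the sandbox bounds check raised in review. kRedzoneSize, kFrameSize and struct SandboxRegion are assumed stand-ins for the runtime's own constants and types.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

#define ROUNDDOWN(x, n) ((x) & ~((uintptr_t)(n) - 1))

// Assumed values: the System V red zone is 128 bytes; kFrameSize stands in
// for sizeof(struct SigFrame) and is chosen so that sizeof % 16 == 8.
enum { kRedzoneSize = 128, kFrameSize = 0x4c8 };

// The entry alignment is a property of the frame type, so check it at
// compile time rather than with a runtime assert that NDEBUG removes.
_Static_assert(kFrameSize % 16 == 8, "frame size must leave sp % 16 == 8");

// Hypothetical description of the sandbox's address range.
struct SandboxRegion { uintptr_t base; size_t size; };

// Constructed sandbox: 1 MiB at 0x10000000.
static const struct SandboxRegion kDemoSandbox = { 0x10000000u, 0x100000u };

// Returns the address at which the signal frame may be written, or 0 if the
// sandbox-controlled RSP would put any part of the frame outside the region.
static uintptr_t place_sigframe(const struct SandboxRegion *sb, uintptr_t sp) {
    uintptr_t top = sb->base + sb->size;
    // RSP comes from the faulting sandbox context: validate it before doing
    // arithmetic on it.
    if (sp < sb->base || sp > top)
        return 0;
    // Largest possible decrease below: red zone + up to 15 bytes of
    // alignment + the frame itself. Reject RSPs too close to the base.
    if (sp - sb->base < kRedzoneSize + 16 + kFrameSize)
        return 0;
    sp -= kRedzoneSize;          // skip the red zone
    sp = ROUNDDOWN(sp, 16);
    sp -= kFrameSize;
    // Whole frame [sp, sp + kFrameSize) must stay inside the sandbox.
    if (sp < sb->base || sp + kFrameSize > top)
        return 0;
    // At handler entry rsp is 16n + 8, as if a call had pushed a return address.
    assert((sp & 15) == 8);
    return sp;
}
```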